disable diffie-hellman-group1-sha1 Cisco 2811 Os v.12.4(24)T2

oscar.martin1
Level 1

Is it possible to disable diffie-hellman-group1-sha1 on a Cisco 2811 router running IOS 12.4(24)T2?

I put this command:

> ip ssh dh min size 2048

for 2048 bits, but the security scan says that it permits:

| kex_algorithms: (3)

| diffie-hellman-group-exchange-sha1
| diffie-hellman-group14-sha1
| diffie-hellman-group1-sha1

So it does not pass security certification. For the Cisco ASA there is a command like this:

> no ssh ssh key-exchange {dh-group1 ........

But I need it for a Cisco 2811 router, and that command doesn't exist there. I've also tried:

> no ip ssh dh min size 1024

but I don't achieve the desired result.

Thanks,

Oscar


4 Replies

Philip D'Ath
VIP Alumni

I don't believe you can prevent it from showing up.

However, the "ip ssh dh min size 2048" should prevent the use of diffie-hellman-group-exchange-sha1. If you can verify this then you have complied; the scan is just giving a false positive.

Hi Philip,

the problem is when I try a debug with an ssh client forcing the use of DH group1:

$>  ssh -vvv -o "KexAlgorithms diffie-hellman-group1-sha1"  user@router2811_ip:

..............................

debug2: kex_parse_kexinit: diffie-hellman-group1-sha1             (forcing algorithm from client)

...............................

debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1                                      (algorithms permits from server)

................................

debug2: dh_gen_key: priv key bits set: 121/256
debug2: bits set: 504/1024                                      (when you don't force from client it says .../2048)

.........................................

I understand that the router is not forcing a minimum of 2048 bits; it looks like a default option. So the use of DH group1 is possible (with parameters forced by the client), and it's possible that it doesn't pass PCI security certification.

Thanks,

Oscar

I just tested this on a Cisco 2911 running 15.4(3)M4.

First I tried connecting using your command and it worked fine. Then I put the "ip ssh dh min size 2048" command in the config, and using the same "ssh" command you gave I tried connecting and it refused.

Note that it still appears to offer diffie-hellman-group1-sha1, but refuses to connect with it.

I note that 15.4(3)M4 is not available for the 2811, due to its age. So I recommend going to the "gold star" release of 15.1.4M10. I am about 90% confident that will resolve your issue.

https://software.cisco.com/download/release.html?mdfid=279120799&softwareid=280805680&release=15.1.4M10&relind=AVAILABLE&rellifecycle=MD&reltype=latest

If it doesn't resolve your issue, and this is really important to you, then you have no choice but to replace the 2811. You could use a 2911 running 15.4(3)M4, since you know it definitely works, but you should really be looking at a 4000 series router, since both the 2811 and 2911 have been superseded by them.

http://www.cisco.com/c/en/us/products/routers/4000-series-integrated-services-routers-isr/models-comparison.html

debug2: local client KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1,ext-info-c
debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha1,hmac-sha1-96
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: (no match)
Unable to negotiate with 192.168.72.2 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
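The replies above turn on one distinction: what a server advertises in its KEXINIT is not the same as what it will complete a handshake with, which is why a scanner can list diffie-hellman-group1-sha1 while a forced client is refused. The following is an added example (not from this thread, Cisco IOS or OpenSSH) that parses the SSH KEXINIT message and binary packet format from RFC 4253 and checks the advertised key-exchange list against a policy. The sample server proposal is constructed here to mirror the "peer server KEXINIT proposal" shown in the log; the host name, banner string and the WEAK_KEX policy set are assumptions of the example.

```python
"""Audit an SSH server's advertised key-exchange methods (RFC 4253 KEXINIT).
Added example; the policy set and sample proposal are constructed, not from IOS."""
import socket
import struct

SSH_MSG_KEXINIT = 20

# Policy for this example: group1 uses a 1024-bit modulus, and all three
# hash with SHA-1, so a PCI-style scan flags them.
WEAK_KEX = frozenset({
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1",
})

# The ten name-lists of KEXINIT, in wire order (RFC 4253 section 7.1).
NAME_LIST_FIELDS = (
    "kex", "host_key", "enc_ctos", "enc_stoc", "mac_ctos", "mac_stoc",
    "comp_ctos", "comp_stoc", "lang_ctos", "lang_stoc",
)


def _read_name_list(buf, off):
    """RFC 4251 name-list: uint32 length, then comma-separated ASCII names."""
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + length]
    if len(raw) != length:
        raise ValueError("truncated name-list")
    names = raw.decode("ascii").split(",") if raw else []
    return names, off + length


def _name_list(names):
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, host_key, ciphers, macs, cookie=bytes(16)):
    """Build a KEXINIT payload; compression 'none', no languages, no guess."""
    lists = [kex, host_key, ciphers, ciphers, macs, macs, ["none"], ["none"], [], []]
    return (bytes([SSH_MSG_KEXINIT]) + cookie
            + b"".join(_name_list(names) for names in lists)
            + b"\x00"                 # first_kex_packet_follows = FALSE
            + struct.pack(">I", 0))   # reserved for future extension


def parse_kexinit(payload):
    """Parse a KEXINIT payload into a dict of its name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    out = {"cookie": payload[1:17]}
    off = 17  # message type byte + 16-byte random cookie
    for field in NAME_LIST_FIELDS:
        out[field], off = _read_name_list(payload, off)
    out["first_kex_follows"] = payload[off] != 0
    return out


def wrap_packet(payload, block=8):
    """Unencrypted binary packet (RFC 4253 section 6): uint32 packet_length,
    byte padding_length, payload, then >= 4 bytes of padding so that the
    whole packet is a multiple of the block size."""
    pad = block - (len(payload) + 5) % block
    if pad < 4:
        pad += block
    body = bytes([pad]) + payload + bytes(pad)
    return struct.pack(">I", len(body)) + body


def unwrap_packet(data):
    """Return (payload, remaining bytes) from an unencrypted binary packet."""
    (length,) = struct.unpack_from(">I", data, 0)
    if len(data) < 4 + length:
        raise ValueError("short packet")
    pad = data[4]
    return data[5:4 + length - pad], data[4 + length:]


def audit_kex(offered, weak=WEAK_KEX):
    """Weak key-exchange methods present in the server's offer, in offer order."""
    return [name for name in offered if name in weak]


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Live check (needs network; not exercised here): exchange version banners
    and read the server's KEXINIT. This shows what is advertised only; to learn
    what is accepted, follow up with a client forced to one method, as the
    thread does with 'ssh -o KexAlgorithms=...'."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-kexaudit_0.1\r\n")   # assumed client banner string
        f = s.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):
            line = f.readline()                  # skip pre-banner lines (RFC 4253 4.2)
        header = f.read(4)
        (length,) = struct.unpack(">I", header)
        payload, _ = unwrap_packet(header + f.read(length))
        return parse_kexinit(payload)


# Constructed sample mirroring the router's proposal in the log above.
SAMPLE_SERVER_KEXINIT = wrap_packet(build_kexinit(
    kex=["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1"],
    host_key=["ssh-rsa"],
    ciphers=["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-cbc",
             "3des-cbc", "aes192-cbc", "aes256-cbc"],
    macs=["hmac-sha1", "hmac-sha1-96"],
))


def audit_sample():
    """Decode the sample packet and report (offered kex, weak kex, leftover bytes)."""
    payload, rest = unwrap_packet(SAMPLE_SERVER_KEXINIT)
    proposal = parse_kexinit(payload)
    return proposal["kex"], audit_kex(proposal["kex"]), rest


if __name__ == "__main__":
    kex, weak, _ = audit_sample()
    print("server kex offer:", ", ".join(kex))
    print("weak methods offered:", ", ".join(weak) or "none")
```

Run it as-is to see the parser work on the constructed proposal; point fetch_server_kexinit at a lab device to read a real advertisement. Because an offer list is only a claim, a compliance answer still needs the second step from the thread: force the client to the suspect method and confirm the connection fails.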

the-gorn
Level 1

.
